<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: jamiesonbecker</title><link>https://news.ycombinator.com/user?id=jamiesonbecker</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 13 Jul 2026 03:50:30 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=jamiesonbecker" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by jamiesonbecker in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>Rotating keys is easy with the right software.  (I work @ Userify) Agree with the auditing point<p>Token-based keys, to tptacek's point, is that they can be a giant pain once you start scripting across fleets.</p>
]]></description><pubDate>Thu, 16 Apr 2026 22:37:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=47800400</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47800400</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47800400</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "Put your SSH keys in your TPM chip"]]></title><description><![CDATA[
<p>One key per device is exactly what we recommend too. Private keys should always be protected as much as possible <i>within</i> that device and should never leave that device.<p>Just paste all of your devices' <i>public</i> keys into your authorized_keys file and leave a comment at the end for what device it's for. in Userify, it literally goes right into your nodes' authorized_keys file almost verbatim. (disclaimer: I work at <a href="https://Userify.com" rel="nofollow">https://Userify.com</a>)<p>And then, if you leave your token or laptop at the airport or whatever, just remove that key right from your phone and it'll take effect in seconds across all the nodes/instances (if you're using Userify) or you can just write a quick <i>for-inline-sed</i> loop to remove it from your authorized keys everywhere.</p>
]]></description><pubDate>Thu, 16 Apr 2026 21:52:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=47799989</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47799989</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47799989</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "NanoClaw's architecture is a masterclass in doing less"]]></title><description><![CDATA[
<p>The next one linked at the bottom, <a href="https://jonno.nz/posts/stealing-nanoclaw-patterns-for-webapps-and-saas/" rel="nofollow">https://jonno.nz/posts/stealing-nanoclaw-patterns-for-webapp...</a> has this bold and frankly unbelievable claim:<p>"70% of startups fail due to premature scaling"<p>.. which is a link to another blog post somewhere else that says nothing even slightly related.</p>
]]></description><pubDate>Tue, 07 Apr 2026 17:00:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47678260</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47678260</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47678260</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>Then install your own:<p><pre><code>    curl i.userify.com | sudo - sE</code></pre></p>
]]></description><pubDate>Sat, 04 Apr 2026 03:03:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=47635248</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47635248</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47635248</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>The experience might be better right up until you're running it in prod and someone happens to ask about:<p><pre><code>   Cert revocation (or even expiration)

   Sudo roles

   User removal and process termination

   Is the cert server HA and locked down

   How you log in when the cert server is down or under attack (rich target!)

   How to easily add Alice to server group A, Bob to B, and Carlos to both A and B, and then to remove them..
</code></pre>
(disclaimer we're celebrating our 15th anniversary at <a href="https://Userify.com" rel="nofollow">https://Userify.com</a>, but those are actually legit concerns and not only a sales pitch. You certainly <i>can</i> build a solid and secure ssh cert infra, but doing it in production is just not an easy set-it-and-forget-it sort of thing.)</p>
]]></description><pubDate>Sat, 04 Apr 2026 00:58:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=47634418</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47634418</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47634418</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>Honestly, we used to replace a lot of <i>pam_ldap</i> and similar sorts of awful solutions. With those, if your LDAP went down even for a heartbeat, you couldn't log in at all.<p>So I totally agree: if I had to do certificates and didn't have something like Userify, a 1 hour (or even shorter if possible) expiration seems quite worth chasing, especially with suitable highly available configuration. (Of course, TFA doesn't even bother mentioning <i>revocation</i> and <i>expiration</i>, which should give you a clue as to how much fun those are lol)<p>And for more normal, lower-security requirements or non-HA, 6 or 8 hours or so would probably work and give you plenty of time for even serious system outages before the certs expired.<p>Not to hard shill or anything (apologies in advance, just skip if you're not interested), but there are two <i>significant</i> security and reliability differences between standard SSH (with or without certificates) and Userify:<p>1. Userify Cloud updates by default every <i>three minutes</i>, and on-premise Userify Express/Enterprise updates every ten seconds, but it doesn't <i>have</i> to update at all; even if your Userify server goes offline forever, you can still log in because the accounts are standard UNIX accounts (literally created with `useradd`)<p>2. When accounts are removed, Userify also completely nukes the user account, removes its sudo perms, and totally <i>kill -9</i> 's any tmux/screen/etc sessions (<i>all</i> processes owned by the user are terminated across the entire enterprise within seconds), which is also not something that a certificate expiration would ever do.</p>
]]></description><pubDate>Sat, 04 Apr 2026 00:40:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=47634288</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47634288</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47634288</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>Great question. Not yet ;)</p>
]]></description><pubDate>Sat, 04 Apr 2026 00:31:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=47634214</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47634214</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47634214</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>Well, TOFU is really just the model for how the chain of trust is established.<p>In practice there isn’t really <i>trust on first use</i>: there’s <i>verify the key matches what’s expected</i>, or <i>distribute keys out-of-band</i> (including certs).<p>If that verification step isn’t happening, then it’s not TOFU, it’s just blind trust.<p>From an automation/autoscaling angle, the same thing shows up again:<p>1. either keys are pre-baked / distributed<p>2. or, something signs them at boot<p>Signing an instance key is just another way of distributing trust. It doesn’t remove the need for a root of trust, it moves it.<p>Certificates just add extra steps around the same underlying task.</p>
]]></description><pubDate>Fri, 03 Apr 2026 21:10:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=47632331</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47632331</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47632331</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>That works for authn in the happy path: short-lived cert, grab it, connect, done.<p>Except for everything around that:<p>* user lifecycle (create/remove/rename accounts)<p>* authz (who gets sudo, what groups, per-host differences)<p>* cleanup (what happens when someone leaves)<p>* visibility (what state is this box actually in right now?)<p>SSH certs don’t really touch any of that. They answer <i>can this key log in right now,</i> not <i>what should exist on this machine.</i><p>So in practice, something else ends up managing users, groups, sudoers, home dirs, etc. Now there are two systems that both have to be correct.<p>On the availability point: "reasonably available" is doing a lot of work ;)<p>Even with 1-hour certs:<p>* new sessions depend on the signer<p>* fleet-wide issues hit everything at once<p>* incident response gets awkward if the signer is part of the blast radius<p>The failure mode shifts from <i>a few boxes don't work</i> to <i>nobody</i> can get in <i>anywhere</i><p>The pull model just leans the other way:<p>* nodes converge to desired state<p>* access continues even if control plane hiccups<p>* authn and authz live together on the box<p>Both models can work - it’s more about which failure mode is tolerable to you.</p>
]]></description><pubDate>Fri, 03 Apr 2026 16:40:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47628908</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47628908</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47628908</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>SSH certs quietly hurt in prod. Short-lived creds + centralized CA just moves complexity upward without solving the core problem: user management.<p>The system shifts from many small local states to one highly coupled control point. That control point has to be correct and reachable all the time. When it isn’t, failures go wide instead of narrow.<p>Example: a few boxes get popped and start hammering the CA. Now what? Access is broken everywhere at once.<p>Common friction points:<p><pre><code>     1. your signer that has to be up and correct all the time
     2. trust roots everywhere (and drifting)
     3. TTL tuning nonsense (too short = random lockouts, too long = what was the point)
     4. limited on-box state makes debugging harder than it should be
     5. failures tend to fan out instead of staying contained
</code></pre>
Revocation is also kind of a lie. Just waiting for expiry and hoping that’s good enough.<p>What actually happens is people reintroduce state anyway: sidecars, caches, agents… because you need it.<p>We went the opposite direction:<p><pre><code>     1. nodes pull over outbound HTTPS
     2. local authorized_keys is the source of truth locally
     3. users/roles are visible on the box
     4. drift fixes itself quickly
     5. no inbound ports, no CA signatures (WELL, not strictly true*!)
</code></pre>
You still get central control, but operation and failure modes are local instead of "everyone is locked out right now."<p>That’s basically what we do at Userify (<a href="https://userify.com" rel="nofollow">https://userify.com</a>). Less elegant than certs, more survivable at 2am. Also actually handles authz, not just part of authn.<p>And the part that usually gets hand-waved with SSH CAs:<p><pre><code>     1. creating the user account
     2. managing sudo roles
     3. deciding what happens to home directories on removal
     4. cleanup vs retention for compliance/forensics
</code></pre>
Those don’t go away - they're just not part of the certificate solution.<p>* (TLS still exists here, just at the transport layer using the system trust store. That channel delivers users, keys, and roles. The rest is handled explicitly instead of implied.)</p>
]]></description><pubDate>Fri, 03 Apr 2026 16:26:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47628687</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47628687</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47628687</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>But then you can't log in if your box goes offline for any reason.</p>
]]></description><pubDate>Fri, 03 Apr 2026 16:16:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=47628547</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47628547</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47628547</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>We're in the process of updating the experience to <i>this century</i>! ;)<p>We've always taken the stance that crusty is better than vulnerable, but it turns out that not having a modern experience after 15 years is starting to feel like maybe we need to step up the features and shininess :)</p>
]]></description><pubDate>Fri, 03 Apr 2026 16:13:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47628508</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47628508</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47628508</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "SSH certificates: the better SSH experience"]]></title><description><![CDATA[
<p>Exactly. We'd had discussions about building <a href="https://Userify.com" rel="nofollow">https://Userify.com</a> (plug!) around SSH certificates, but elected to go with keys instead, because Userify delivers most of the good things around certificates without the jank and insecurity.<p>It's not that certificates themselves are insecure themselves, it's that the workflows (as the parent points out) are awful. We might still add some automation around that (and I think I saw some competitor tooling out there if you're committed to that path) but I personally feel like it's an answer to the wrong question.</p>
]]></description><pubDate>Fri, 03 Apr 2026 16:10:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=47628467</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47628467</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47628467</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "Disable Your SSH access accidentally with scp"]]></title><description><![CDATA[
<p>Classic OpenSSH safety check: if /home/$user (or ~/.ssh) is too open, or ownership/modes are off, sshd will refuse pubkey auth. Annoying, but correct.<p>If you still have some access (console, password login, another sudo user), this usually fixes it:<p><pre><code>    username=bob
    sudo chown "$username:$username" /home/$username
    sudo chmod 700 /home/$username

    sudo install -d -m 700 -o "$username" -g "$username" /home/$username/.ssh
    echo "ssh-ed25519 AAAA....insertyourpubkeyhere" | sudo tee /home/$username/.ssh/authorized_keys >/dev/null
    sudo chown "$username:$username" /home/$username/.ssh/authorized_keys
    sudo chmod 600 /home/$username/.ssh/authorized_keys
</code></pre>
(optional, if the user needs sudo)<p><pre><code>    echo "$username ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$username >/dev/null
    sudo chmod 440 /etc/sudoers.d/$username
</code></pre>
Not to shill too hard, but this exact "keys/perms/sudo drift" failure mode is why Userify exists (est. 2011): local accounts on every box + a tiny outbound-only agent that polls and overwrites desired state (keys, perms, sudo role). If scp/rsync/deploy steps clobber stuff, the next poll re-converges it (cloud default ~90s; self-host default ~10s; configurable). Removing a user also kills their sessions. No inbound ports to nodes, no PAM/NSS hooks, auditable.<p>Shim (old but readable): <a href="https://github.com/userify/shim/blob/master/shim.py#L308" rel="nofollow">https://github.com/userify/shim/blob/master/shim.py#L308</a>
(obligatory): <a href="https://userify.com" rel="nofollow">https://userify.com</a></p>
]]></description><pubDate>Tue, 03 Mar 2026 23:17:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47240505</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=47240505</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47240505</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "We replaced H.264 streaming with JPEG screenshots (and it worked better)"]]></title><description><![CDATA[
<p>at least it had a minimum of Clause. Clause. Punchline.</p>
]]></description><pubDate>Tue, 23 Dec 2025 19:02:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46368215</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46368215</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46368215</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "We replaced H.264 streaming with JPEG screenshots (and it worked better)"]]></title><description><![CDATA[
<p>I like it too, even though it has that distinctive odor of being totally written by chatgpt though. (a bit distracting tbh)</p>
]]></description><pubDate>Tue, 23 Dec 2025 19:00:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=46368183</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46368183</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46368183</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "We replaced H.264 streaming with JPEG screenshots (and it worked better)"]]></title><description><![CDATA[
<p>One of the big issues was latency.</p>
]]></description><pubDate>Tue, 23 Dec 2025 18:59:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=46368166</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46368166</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46368166</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "We built another object storage"]]></title><description><![CDATA[
<p>Thank you for the comprehensive answers!<p>(By the way: NVIDIA AIstore is NOT a proxying/caching engine, although it can, which is somewhat unique among these types of stores. AIstore is actually a full S3 engine in its own right, and it's actually extremely capable, although live cluster resizing and ETL requires k8s :( )</p>
]]></description><pubDate>Sun, 14 Dec 2025 00:59:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=46259850</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46259850</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46259850</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "We built another object storage"]]></title><description><![CDATA[
<p>These questions are meant to be constructively critical, but not hyper-critical: I'm genuinely interested and a big fan of open-source projects in this space:<p>* In terms of a high-performance AI-focused S3 competitor, how does this compare to NVIDIA's AIstore? <a href="https://aistore.nvidia.com/" rel="nofollow">https://aistore.nvidia.com/</a><p>* What's the clustering story? Is it complex like ceph, requires K8s like AIstore for full functionality, or is it more flexible like Garage, Minio, etc?<p>* You spend a lot of time talking about performance; do you have any benchmarks?<p>*  Obviously most of the page was written by ChatGPT: what percentage of the code was written by AI, and has it been reviewed by a human?<p>*  How does the object storage itself work? How is it architected? Do you DHT, for example? What tradeoffs are there (CAP, for example) vs the 1.4 gazillion alternatives?<p>* Are there any front-end or admin tools (and screenshots)?<p>* Can a cluster scale horizontally or only vertically (ie Minio)<p>* Why not instead just fork a previous version of Minio and then put a high-speed metadata layer on top?<p>* Is there any telemetry?<p>* Although it doesn't matter as much for my use case as for others, what is the specific jurisdiction of origin?<p>* Is there a CLA and does that CLA involve assigning rights like copyright (helps prevent the 'rug-pull' closing-source scenario)?<p>* Is there a non-profit Foundation, goal for CNCF sponsorship or other trusted third-party to ensure that the software remains open source (although forks of prior versions mostly mitigates that concern)?<p>Thanks!</p>
]]></description><pubDate>Sat, 13 Dec 2025 14:55:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=46254941</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46254941</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46254941</guid></item><item><title><![CDATA[New comment by jamiesonbecker in "Show HN: Gemini Pro 3 imagines the HN front page 10 years from now"]]></title><description><![CDATA[
<p>> 8. Google kills Gemini Cloud Services (killedbygoogle.com)<p>So, Google renamed itself to <i>Gemini</i>?<p>Instead of Google having a product named Gemini, Gemini has a product named <i>Google</i>.<p>pattern recognition much?</p>
]]></description><pubDate>Tue, 09 Dec 2025 19:43:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=46209607</link><dc:creator>jamiesonbecker</dc:creator><comments>https://news.ycombinator.com/item?id=46209607</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46209607</guid></item></channel></rss>